6 Steps To Better Customer Data Protection

Published: 22/11/2024   Category: security




Privacy isn't a concern just for the Googles and Facebooks of the world. Here are six ways small and midsize businesses (SMBs) can better protect their customers -- and themselves.



Monday was Data Privacy Day. Do you know where your customer information is?
If your answer is somewhere in the "no" to "sort of, for the most part" range, you've got work to do. Even if your answer is a resounding yes, it might be time to revisit how you handle and protect customer information -- especially if those processes were developed a couple of years ago or more.
The penalties for poor data protection and privacy practices can be stiff, ranging from negative publicity and embarrassment to costly fines and lawsuits. The fallout can be broad. In a recent Harris Interactive poll sponsored by TRUSTe, 89% of U.S. consumers said they had avoided doing business with a company because of concerns about how it handled their online privacy.
[ Do companies share too much customer data? Read FTC Sets Consumer Data Collection Limits. ]
As a result, behemoths like Google and Microsoft are paying plenty of attention to customer data protection and privacy issues -- it would simply be bad business if they didn't. Google, for one, used Data Privacy Day to explain how it handles government requests for user data. Such requests have been growing in volume lately. Yet protecting customer information isn't just a Fortune 500 issue; it affects companies of nearly all shapes and sizes.
In an interview with InformationWeek, Online Trust Alliance executive director and president Craig Spiezle shared six ways SMBs can polish their approach to data protection and privacy matters.
1. Make Customer Data More Than An IT Problem.
A common SMB approach to safeguarding customer information is to treat it as an IT responsibility. Fair enough, but too many SMBs treat it as *only* an IT responsibility, according to Spiezle. While IT is usually best suited to handle the technologies and technical processes involved in storing and securing data, it is often in the dark regarding how data is used and shared elsewhere in the organization. In fact, Spiezle said his recent work with the FBI and U.S. Secret Service revealed that confusion among company executives and employees is a regular roadblock in data-breach investigations.
"[SMBs] have to view data protection and privacy as a holistic, company-wide effort," Spiezle said. "If they only focus on it as an IT issue, they will most likely fail."
2. Reevaluate Your Data Encryption Practices.
Encrypting sensitive customer data might sound like a given in 2013. It's not. Failing to use encryption properly, Spiezle said, is a particularly high risk. An organization might encrypt customer data in certain states or process steps but fail to do so when it's in motion or in use on an employee's desktop, for example. Best practices and recommendations for encryption technologies will vary by business and industry; regulatory compliance like HIPAA or PCI will often have a heavy influence. Spiezle advises two global practices. First, if you haven't recently re-evaluated your encryption processes and technologies, they're probably not good enough. "Companies that were encrypted based on what standards were five years ago are easily broken into today," Spiezle said.
Second, Spiezle recommends whole-disk encryption instead of file-level encryption, especially for employees who work with customer data on their PCs or mobile devices. Whole-disk encryption, such as what's on offer for Apple's iOS or Microsoft's Windows, can help better protect against fallout from lost laptops and other hardware.
3. Consider Data Loss Prevention (DLP) Technologies.
Spiezle advises larger companies to begin to consider a data loss prevention (DLP) platform for rules-based data monitoring and tracking. Such technologies enable an administrator to automate and enforce certain policies governing the use and movement of customer data. For example, set a rule that prevents any files that include a social security number from being sent outside the company. "You're preventing either an accidental disclosure or an employee overtly sending data out to someone [outside] the company," Spiezle said.
By "larger companies," Spiezle is not referring to employees or revenue but the amount of data you're dealing with. "I've seen companies with as little as 100 employees using [DLP]," Spiezle said. "Certainly, anyone that's dealing in [healthcare] or a securities business is probably already thinking about this." A related scenario where smaller companies might find a return on a DLP investment: service providers that count highly regulated industries and other high-risk businesses among their customers. It might be a necessity to be deemed trustworthy.
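The kind of rule Spiezle describes, in miniature. This is an added illustration, not code from the article or from the Online Trust Alliance: it scans an outbound message for social security number candidates, applies the Social Security Administration's structural rules to discard obviously invalid ones, and blocks delivery to any domain other than the company's own. The messages, the domain names and the `corp.example` internal domain are constructed for the example.

```python
import re
from dataclasses import dataclass

# Candidate SSN: three, two and four digits, optionally separated by a hyphen or
# space, and not embedded in a longer run of digits (so a 10-digit phone number
# does not match). Bare 9-digit runs are still noisy; commercial DLP products
# add context keywords, which is left out here for brevity.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the Social Security Administration:
    area 000, 666 and 900-999 are never issued; group 00 and serial 0000
    are never issued. Filtering on them cuts obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    offset: int   # where in the text the candidate starts
    masked: str   # only the last four digits survive into logs and alerts


def find_ssns(text: str) -> list:
    """Return every plausible SSN in text, masked for safe logging."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            findings.append(Finding(m.start(), f"***-**-{serial}"))
    return findings


def outbound_allowed(text: str, recipient_domain: str, internal_domain: str):
    """Policy from the article: anything containing an SSN may not leave the
    company. Internal recipients are allowed, but the findings are still
    returned so the administrator can log them."""
    findings = find_ssns(text)
    if recipient_domain.lower() == internal_domain.lower():
        return True, findings
    return len(findings) == 0, findings


# Constructed sample messages (not real data) to exercise the policy.
SAMPLES = [
    ("hr@corp.example", "Payroll for J. Doe, SSN 123-45-6789, attached."),
    ("partner@example.org", "Payroll for J. Doe, SSN 123-45-6789, attached."),
    ("partner@example.org", "Order 000-12-3456 shipped; call 5551234567."),
]


def run_samples(internal_domain: str = "corp.example") -> list:
    """Evaluate each sample; return (recipient, allowed, masked findings)."""
    results = []
    for recipient, body in SAMPLES:
        domain = recipient.split("@", 1)[1]
        allowed, findings = outbound_allowed(body, domain, internal_domain)
        results.append((recipient, allowed, [f.masked for f in findings]))
    return results


if __name__ == "__main__":
    for recipient, allowed, masked in run_samples():
        print(f"{recipient:22} {'ALLOW' if allowed else 'BLOCK':5} {masked}")
```

The masking matters as much as the match: a DLP alert that copies the full SSN into a ticketing system has just created a second place the number needs protecting.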
4. Include Customer Privacy In Cloud Vendor Negotiations.
As SMBs adopt cloud applications in greater numbers, Spiezle believes customer data protection needs to be a part of contracts and negotiations. The standard language in many such agreements might not be enough, he said. One example: "We adhere to best practices to protect your data," or some version of that same claim. The problem, according to Spiezle: "That may not be good enough for your business, and you may really want to pressure [them on] that." Another example: a cloud vendor's general promise to notify you in the event of loss of sensitive information. The problem: "They may not really know what's sensitive to your customers or your markets," Spiezle said.
As a result, Spiezle encourages SMBs to ask cloud providers to include addendums to the standard agreement that cover their specific needs for protecting customer data and privacy. Don't expect a warm response, though. Vendors don't want to do one-off deals. Nonetheless, it's an important area to address. In the event of a data-related incident, your customers won't want to hear: "It's the cloud's fault."
5. Address The BYOD Issue.
Yes, bring-your-own-device (BYOD) is a customer data issue, too. Spiezle's in the camp that sees BYOD as inevitable. No matter your viewpoint, employee mobile devices add an order of magnitude to protecting customer information and privacy. A recent survey paid for by EVault found nearly one-third of U.S. employees had corporate data stored on their personal smartphones.
Spiezle recommends remote wiping capability as a key tool for managing the mobile-related risks. At bare minimum, he advised including a BYOD policy clause that requires employees to notify the company in the event of a lost or stolen device so that it can take steps to prevent data loss.
6. Retain Data Logs For Longer.
As a matter of process rather than technology, Spiezle recommends keeping data logs for things like firewalls or application servers for at least one year, if not longer. "What we find is a lot of administrators only keep them for 30 days, or they inadvertently shut them off when they're doing something [else]," Spiezle said. That can cause problems when trying to determine the cause of data-related incidents; Spiezle noted those incidents are often not discovered until after the fact.
"There's really no reason why you wouldn't want to keep your past 12 months of data in those logs," he said. "It's really important because it can help in forensics capability. It can also help detect abnormal behavior and patterns of someone who's attempting to breach your perimeter."
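Both failure modes Spiezle names, a 30-day rotation and logging that was switched off and forgotten, are easy to audit if you check coverage rather than just the presence of a log directory. The following check is an added example, not code from the article: given, for each log source, the calendar days for which a daily log file exists, it reports how far back retention reaches and every stretch of missing days, including a silent stop at the recent end. The reference date, the three sources and their inventories are constructed for the example.

```python
from datetime import date, timedelta

# Constructed reference date for the sample inventory (not from the article).
TODAY = date(2024, 11, 22)


def day_range(start: date, end: date) -> list:
    """Every calendar day from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def audit_retention(inventory: dict, today: date,
                    min_days: int = 365, max_gap_days: int = 1) -> dict:
    """inventory maps a log source to the dates for which a daily log exists.
    A source passes when its oldest log is at least min_days old and no
    stretch longer than max_gap_days is missing, including at the recent end
    (logging that was switched off and never re-enabled)."""
    report = {}
    for source, days in inventory.items():
        days = sorted(set(days))
        if not days:
            report[source] = {"retained_days": 0, "gaps": [], "ok": False}
            continue
        retained = (today - days[0]).days + 1
        gaps = []
        for prev, cur in zip(days, days[1:]):
            if (cur - prev).days > max_gap_days:
                gaps.append((prev + timedelta(days=1), cur - timedelta(days=1)))
        if (today - days[-1]).days > max_gap_days:
            gaps.append((days[-1] + timedelta(days=1), today))
        report[source] = {
            "retained_days": retained,
            "gaps": gaps,
            "ok": retained >= min_days and not gaps,
        }
    return report


def sample_inventory(today: date = TODAY) -> dict:
    """Constructed sample: a firewall with a full 400 days of logs, an app
    server on a 30-day rotation, and a VPN concentrator whose logging was
    turned off for ten days during maintenance and never noticed."""
    full = day_range(today - timedelta(days=400), today)
    hole = set(day_range(today - timedelta(days=200), today - timedelta(days=191)))
    return {
        "firewall": full,
        "appserver": day_range(today - timedelta(days=29), today),
        "vpn": [d for d in full if d not in hole],
    }


def sample_report() -> dict:
    return audit_retention(sample_inventory(), TODAY)


if __name__ == "__main__":
    for source, r in sample_report().items():
        gaps = ", ".join(f"{a}..{b}" for a, b in r["gaps"]) or "none"
        print(f"{source:10} retained={r['retained_days']:4}d "
              f"gaps={gaps} {'OK' if r['ok'] else 'FAIL'}")
```

In practice the inventory would be built from the log store itself (file modification dates, or a count of events per day from the collector); the check itself is the same, and running it daily turns a forgotten logging switch into a same-day alert instead of a discovery made during an investigation months later.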